Hi everyone,
I'm relatively new to PHP and I am looking for help.
I have a script:
// DB info
$db = mysql_connect($host, $user, $pass);
$db_connect = mysql_select_db($name, $db);
if ($db_connect) {
    // Read every row and print the 'key' column straight into the page
    $SQL = "SELECT * FROM $table";
    $result = mysql_query($SQL);
    while ($db_field = mysql_fetch_assoc($result)) {
        print "Your key from the db is: " . $db_field['key'] . "<br />";
    }
    mysql_close($db);
}
else {
    print "Database NOT Found ";
    mysql_close($db);
}
The database entry can be anything; I'm sure some of you can see where I am going with this.
This means someone can stick a nice little malicious <script> tag in there, or anything of nastiness.
I have been reading about str_replace etc. and see this as a valid way to go; however, I am an idiot and have tried several mashup ways of doing it according to several internet articles, and none of them work or they throw back errors, so obviously I am doing something wrong.
I have also looked at htmlspecialentities; however, it is not just < > etc. characters that I want to do a str_replace on. I would like to future-proof the application so that I can also do str_replace on any piece of data.
Any help would be lovely.
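Added example (not from the original post): instead of a hand-rolled str_replace, escape each value at the moment it is written into HTML with htmlspecialchars(), wrapped in one small helper that can be applied to any field. The sample rows are constructed here to stand in for mysql_fetch_assoc() results so the snippet runs without a database.

```php
<?php
declare(strict_types=1);

// Output-encoding helper: ENT_QUOTES also covers single and double quotes,
// which matters when a value ends up inside an HTML attribute.
// Assumed helper name; not from the original post.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Apply the helper to every column of a row so new fields are covered
// automatically, without listing characters one by one.
function escape_row(array $row): array
{
    return array_map(
        static fn ($v) => is_string($v) ? e($v) : $v,
        $row
    );
}

// Constructed sample rows standing in for the database results.
$rows = [
    ['key' => 'abc123'],
    ['key' => '<script>alert(1)</script>'],
    ['key' => '"quoted" & <b>bold</b>'],
];

foreach ($rows as $db_field) {
    // The raw value stays untouched in the database; only the HTML output
    // is encoded, so the browser renders it as text rather than markup.
    $safe = escape_row($db_field);
    print "Your key from the db is: " . $safe['key'] . "<br />\n";
}
```

Escaping belongs at output time (HTML here), not when the data is stored; a value that will later go into a JavaScript string or a URL needs the encoding for that context instead.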